Fear over fallout from data breaches doesn’t just plague national security agencies and mega-corporations.
Take investors’ unease over the security lapses that triggered the Panama Papers “exposé,” couple it with the recent lawsuit that seeks outsized damages against a law firm for allegedly slipshod efforts to protect client data, and it all adds up to an unsettling climate for investment houses, banks, law firms, and insurance providers.
Why has institutional liability on data breaches escalated so abruptly? The Panama Papers demonstrated to investors that sensitive financial transactions previously believed secure could be hacked, “exposed,” and, once activist groups got hold of them, misrepresented. The stakes, moreover, are considerably higher now that leading plaintiffs’ firm Edelson PC is suing a still-unnamed Chicago-based “regional law firm” in a putative privacy class action for failing to maintain adequate vigilance over client data.
One thing is certain: that Chicago firm will soon have a lot of company. As hacking becomes more pervasive, plaintiffs’ advocates everywhere no doubt see a target-rich environment. Edelson acknowledges that it is using the Chicago suit as a “road map” for future litigation.
Given the recent spate of suspected hacking at such firms as Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, that map will likely point toward many more law firms. And not just for their own cyber management deficiencies: In the Southern District of New York this spring, federal prosecutors began examining the nexus between hacking and insider trading. This past winter in Chicago, a cybersecurity firm warned that foreign-based hackers looking for insider information had targeted some four dozen leading law firms.
It’s a perfect storm in the making. Here are a few suggestions as to how firms should prepare themselves for potentially hostile scrutiny of their client data safeguards.
Expect the worst: What if client lists became public? Or compensation models got leaked? Or that ultra-confidential merger gets compromised? Plan now for how to engage staff and clients to restore trust.
Identify the biggest areas of vulnerability: Are employees being trained in best practices such as encrypting files at home and on the road? Are employees using Dropbox or other dangerously unsecure cloud systems? Is the firm routinely “penetration testing” its system? Does the firm have a crisis plan that anticipates the scenarios above? Who are the decision-makers for such an incident? Is it a small but senior group of leaders who can eliminate the dithering and make decisions quickly?
Take extraordinary measures: Role-play worst-case scenarios in a tabletop exercise or drill. Walk through the process. Use a trusted member of the firm and an outside advisor to create a particularly difficult scenario. Invite other staff to play real-life employees who would react, or overreact, to a serious situation.
In this new “gotcha” cyber-security climate, the rules of engagement are changing. The best law firms help clients assess and handle risk to their brand and business operations. Attorney: heal thyself. Data breaches have now moved to the top of the risks that every law firm has to confront. It is far easier to preserve trust by acting now than to try to restore trust by acting later.
Richard S. Levick, Esq. is Chairman and CEO of LEVICK, a global strategic communications and public affairs firm.